Thread: pgpool ssl handshake failure

pgpool ssl handshake failure

From: AI Rumman
Hi,

I am using pgpool-II version 3.4.3 (tataraboshi).
My database is PostgreSQL 8.4.

I am trying to configure ssl mode from client and between pgpool and database it is non-ssl.
I configured it as documented and now I am getting this in my log:
2015-10-13 22:17:58: pid 1857: LOG:  new connection received
2015-10-13 22:17:58: pid 1857: DETAIL:  connecting host=10.0.0.5 port=65326
2015-10-13 22:17:58: pid 1857: LOG:  pool_ssl: "SSL_read": "ssl handshake failure"
2015-10-13 22:17:58: pid 1857: ERROR:  unable to read data from frontend
2015-10-13 22:17:58: pid 1857: DETAIL:  socket read failed with an error "Success"

Please let me know what I am doing wrong.

Thanks & Regards.

Re: pgpool ssl handshake failure

From: Adrian Klaver
On 10/15/2015 06:59 AM, AI Rumman wrote:
> Hi,
>
> I am using pgpool-II version 3.4.3 (tataraboshi).
> Where my database is Postgresql 8.4.

Probably already know, but 8.4 is approximately 1.25 years beyond EOL:

http://www.postgresql.org/support/versioning/

>
> I am trying to configure ssl mode from client and between pgpool and
> database it is non-ssl.

What is non-ssl, the database or pgpool?

> I configured as document and now I am getting this in my log:
>
>     2015-10-13 22:17:58: pid 1857: LOG:  new connection received
>     2015-10-13 22:17:58: pid 1857: DETAIL:  connecting host=10.0.0.5 port=65326
>     2015-10-13 22:17:58: pid 1857: LOG:  pool_ssl: "SSL_read": "ssl handshake failure"
>     2015-10-13 22:17:58: pid 1857: ERROR:  unable to read data from frontend
>     2015-10-13 22:17:58: pid 1857: DETAIL:  socket read failed with an error "Success"
>
> Please let me know what wrong I am doing.

Not quite sure but given the below from the 9.5 Release Notes:

"
Remove server configuration parameter ssl_renegotiation_limit, which was
deprecated in earlier releases (Andres Freund)

While SSL renegotiation is a good idea in theory, it has caused enough
bugs to be considered a net negative in practice, and it is due to be
removed from future versions of the relevant standards. We have
therefore removed support for it from PostgreSQL."

I would check to see what ssl_renegotiation_limit is set to:

http://www.postgresql.org/docs/8.4/static/runtime-config-connection.html

and if it is not set to 0, then try that.


>
> Thanks & Regards.
>


--
Adrian Klaver
adrian.klaver@aklaver.com


Re: pgpool ssl handshake failure

From: AI Rumman
I configured Postgresql 9.4 and still getting the same error.

Thanks.

On Thu, Oct 15, 2015 at 7:16 AM, Adrian Klaver <adrian.klaver@aklaver.com> wrote:
> On 10/15/2015 06:59 AM, AI Rumman wrote:
>> Hi,
>>
>> I am using pgpool-II version 3.4.3 (tataraboshi).
>> Where my database is Postgresql 8.4.
>
> Probably already know, but 8.4 is approximately 1.25 years beyond EOL:
>
> http://www.postgresql.org/support/versioning/
>
>> I am trying to configure ssl mode from client and between pgpool and
>> database it is non-ssl.
>
> What is non-ssl, the database or pgpool?
>
>> I configured as document and now I am getting this in my log:
>>
>>     2015-10-13 22:17:58: pid 1857: LOG:  new connection received
>>     2015-10-13 22:17:58: pid 1857: DETAIL:  connecting host=10.0.0.5 port=65326
>>     2015-10-13 22:17:58: pid 1857: LOG:  pool_ssl: "SSL_read": "ssl handshake failure"
>>     2015-10-13 22:17:58: pid 1857: ERROR:  unable to read data from frontend
>>     2015-10-13 22:17:58: pid 1857: DETAIL:  socket read failed with an error "Success"
>>
>> Please let me know what wrong I am doing.
>
> Not quite sure but given the below from the 9.5 Release Notes:
>
> "
> Remove server configuration parameter ssl_renegotiation_limit, which was deprecated in earlier releases (Andres Freund)
>
> While SSL renegotiation is a good idea in theory, it has caused enough bugs to be considered a net negative in practice, and it is due to be removed from future versions of the relevant standards. We have therefore removed support for it from PostgreSQL."
>
> I would check to see what ssl_renegotiation_limit is set to:
>
> http://www.postgresql.org/docs/8.4/static/runtime-config-connection.html
>
> and if it is not set to 0, then try that.
>
>> Thanks & Regards.
>
> --
> Adrian Klaver
> adrian.klaver@aklaver.com

Re: pgpool ssl handshake failure

From: Adrian Klaver
On 10/15/2015 09:36 AM, AI Rumman wrote:
> I configured Postgresql 9.4 and still getting the same error.

Configured what?

Or more to the point what is ssl_renegotiation_limit set to?

>
> Thanks.
>
> On Thu, Oct 15, 2015 at 7:16 AM, Adrian Klaver
> <adrian.klaver@aklaver.com> wrote:
>
>     On 10/15/2015 06:59 AM, AI Rumman wrote:
>
>         Hi,
>
>         I am using pgpool-II version 3.4.3 (tataraboshi).
>         Where my database is Postgresql 8.4.
>
>
>     Probably already know, but 8.4 is approximately 1.25 years beyond EOL:
>
>     http://www.postgresql.org/support/versioning/
>
>
>         I am trying to configure ssl mode from client and between pgpool and
>         database it is non-ssl.
>
>
>     What is non-ssl, the database or pgpool?
>
>         I configured as document and now I am getting this in my log:
>
>              2015-10-13 22:17:58: pid 1857: LOG:  new connection received
>              2015-10-13 22:17:58: pid 1857: DETAIL:  connecting host=10.0.0.5 port=65326
>              2015-10-13 22:17:58: pid 1857: LOG:  pool_ssl: "SSL_read": "ssl handshake failure"
>              2015-10-13 22:17:58: pid 1857: ERROR:  unable to read data from frontend
>              2015-10-13 22:17:58: pid 1857: DETAIL:  socket read failed with an error "Success"
>
>         Please let me know what wrong I am doing.
>
>
>     Not quite sure but given the below from the 9.5 Release Notes:
>
>     "
>     Remove server configuration parameter ssl_renegotiation_limit, which
>     was deprecated in earlier releases (Andres Freund)
>
>     While SSL renegotiation is a good idea in theory, it has caused
>     enough bugs to be considered a net negative in practice, and it is
>     due to be removed from future versions of the relevant standards. We
>     have therefore removed support for it from PostgreSQL."
>
>     I would check to see what  ssl_renegotiation_limit is set to:
>
>     http://www.postgresql.org/docs/8.4/static/runtime-config-connection.html
>
>     and if it is not set to 0, then try that.
>
>
>
>         Thanks & Regards.
>
>
>
>     --
>     Adrian Klaver
>     adrian.klaver@aklaver.com
>
>


--
Adrian Klaver
adrian.klaver@aklaver.com


Re: pgpool ssl handshake failure

From: Tatsuo Ishii
> Hi,
>
> I am using pgpool-II version 3.4.3 (tataraboshi).
> Where my database is Postgresql 8.4.
>
> I am trying to configure ssl mode from client and between pgpool and
> database it is non-ssl.
> I configured as document and now I am getting this in my log:
>
>>
>> 2015-10-13 22:17:58: pid 1857: LOG:  new connection received
>> 2015-10-13 22:17:58: pid 1857: DETAIL:  connecting host=10.0.0.5 port=65326
>> 2015-10-13 22:17:58: pid 1857: LOG:  pool_ssl: "SSL_read": "ssl handshake failure"
>> 2015-10-13 22:17:58: pid 1857: ERROR:  unable to read data from frontend
>> 2015-10-13 22:17:58: pid 1857: DETAIL:  socket read failed with an error "Success"
>
> Please let me know what wrong I am doing.

Works for me using psql coming with PostgreSQL 9.4.5 and pgpool-II 3.4.3.
(This is Ubuntu 14.04. PostgreSQL and pgpool-II are compiled from the
source code).

$ psql -p 11000 -h localhost test
psql (9.4.5)
SSL connection (protocol: TLSv1, cipher: AES256-SHA, bits: 256, compression: off)
Type "help" for help.

I don't think your old PostgreSQL 8.4 server is related to your
problem because you are trying to enable SSL between client and
pgpool, not pgpool and PostgreSQL server. However, psql coming with
PostgreSQL 8.4 might be related to the problem. Why don't you try
a newer version of psql (more precisely, a newer libpq)?

I assume your SSL setting is perfect. If you are not sure, please take
a look at the FAQ:

http://pgpool.net/mediawiki/index.php/FAQ#How_can_I_set_up_SSL_for_pgpool-II.3F

Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese: http://www.sraoss.co.jp
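
Added example, not part of the original thread: a Python probe that repeats the client-to-pgpool check above without libpq. It sends the PostgreSQL SSLRequest message, reads the one-byte answer and attempts the TLS handshake, so a listener that does not offer SSL can be told apart from a protocol or cipher mismatch. The function name `probe_ssl` is an assumption of this example; the host and port in the demo are the ones from the psql command above.

```python
import socket
import ssl
import struct

# PostgreSQL SSLRequest: int32 length (8) + int32 request code 80877103 (1234 << 16 | 5679).
SSL_REQUEST = struct.pack("!II", 8, 80877103)

def probe_ssl(sock):
    """Ask the listener for SSL, then try the TLS handshake. Sends no credentials or queries."""
    sock.sendall(SSL_REQUEST)
    answer = sock.recv(1)
    if answer == b"N":
        return {"ssl": False, "reason": "listener answered N: SSL is not offered here"}
    if answer != b"S":
        return {"ssl": False, "reason": f"unexpected reply {answer!r} to SSLRequest"}
    ctx = ssl.create_default_context()
    # Diagnostic only: certificate checks are off so that a self-signed
    # certificate does not mask a protocol or cipher problem.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock) as tls:
            name, _, bits = tls.cipher()
            return {"ssl": True, "protocol": tls.version(), "cipher": name, "bits": bits}
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        # The local OpenSSL policy counts too: a modern client may refuse TLSv1.
        return {"ssl": False, "reason": f"TLS handshake failed: {exc}"}

if __name__ == "__main__":
    # Host and port as in the psql command above; adjust for your listener.
    try:
        with socket.create_connection(("localhost", 11000), timeout=5) as s:
            print(probe_ssl(s))
    except OSError as exc:
        print("could not connect:", exc)
```

A result of `ssl: False` with a handshake error from a host where psql also fails points at the TLS layer (library versions, protocol, cipher) rather than at pgpool's backend settings.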


Re: pgpool ssl handshake failure

From: Albe Laurenz
AI Rumman wrote:
> I am using pgpool-II version 3.4.3 (tataraboshi).
> Where my database is Postgresql 8.4.
> 
> I am trying to configure ssl mode from client and between pgpool and database it is non-ssl.
> I configured as document and now I am getting this in my log:
> 
>     2015-10-13 22:17:58: pid 1857: LOG:  new connection received
>     2015-10-13 22:17:58: pid 1857: DETAIL:  connecting host=10.0.0.5 port=65326
>     2015-10-13 22:17:58: pid 1857: LOG:  pool_ssl: "SSL_read": "ssl handshake failure"
>     2015-10-13 22:17:58: pid 1857: ERROR:  unable to read data from frontend
>     2015-10-13 22:17:58: pid 1857: DETAIL:  socket read failed with an error "Success"
> 
> Please let me know what wrong I am doing.

Does the problem occur immediately when you try to connect or only after some time?

If the latter, it may well be a renegotiation issue.
If the former, I can't guess.
What are the OpenSSL versions involved on both ends?

Yours,
Laurenz Albe
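
Added example, not part of the original thread: whether the failure is immediate or comes later can be read from the pgpool log itself. This Python script pairs each `pool_ssl` error with the `new connection received` line of the same pid and reports the delay between them; the function name and the 2-second threshold are assumptions of this example, and the sample input is the log from the first message.

```python
import re
from datetime import datetime

# Log lines copied from the first message in this thread.
SAMPLE_LOG = """\
2015-10-13 22:17:58: pid 1857: LOG:  new connection received
2015-10-13 22:17:58: pid 1857: DETAIL:  connecting host=10.0.0.5 port=65326
2015-10-13 22:17:58: pid 1857: LOG:  pool_ssl: "SSL_read": "ssl handshake failure"
2015-10-13 22:17:58: pid 1857: ERROR:  unable to read data from frontend
2015-10-13 22:17:58: pid 1857: DETAIL:  socket read failed with an error "Success"
"""

LINE_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): pid (\d+): (\w+):\s+(.*)$')
HOST_RE = re.compile(r'connecting host=(\S+) port=(\d+)')
IMMEDIATE_SECS = 2  # assumption: a failure this soon after accept is the initial handshake

def classify_ssl_failures(log_text):
    """Return one dict per pool_ssl error: client, delay after accept, verdict."""
    sessions = {}   # pid -> {"start": datetime, "host": "ip:port" or None}
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped or foreign lines are skipped, not guessed at
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        pid, level, msg = int(m.group(2)), m.group(3), m.group(4)
        if level == "LOG" and msg == "new connection received":
            sessions[pid] = {"start": ts, "host": None}  # a reused pid starts a new session
        elif level == "DETAIL" and pid in sessions and (h := HOST_RE.search(msg)):
            sessions[pid]["host"] = f"{h.group(1)}:{h.group(2)}"
        elif level == "LOG" and msg.startswith("pool_ssl:") and pid in sessions:
            delay = (ts - sessions[pid]["start"]).total_seconds()
            verdict = ("initial handshake" if delay <= IMMEDIATE_SECS
                       else "mid-session (check renegotiation)")
            findings.append({"pid": pid, "client": sessions[pid]["host"],
                             "delay_s": delay, "verdict": verdict, "error": msg})
    return findings

if __name__ == "__main__":
    for finding in classify_ssl_failures(SAMPLE_LOG):
        print(finding)
```

For the posted log every line carries the same timestamp, so the error is classified as an initial-handshake failure; the log has one-second resolution, so delays are approximate.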